2 Replies Latest reply on Aug 12, 2013 8:22 PM by John Ament

    Best practice - SAML based authentication and REST APIs

    John Ament Master

      Hi all


      Is there a best practice for using PicketLink to secure REST APIs that are behind a SAML based authentication scheme?  Right now, I have both a SAML SP and IDP (under direct control).  I use REST for all of my server interaction.  I want to account for both stateful operations (user in a browser doing something) as well as stateless operations (a server interacting with our REST API).  Do I need to essentially handle a cookie for this?


      I've considered breaking out the REST API to support both into a common jar and bringing it into two projects, one that uses the SP/IDP authentication, the other using a local authentication (all of these apps are deployed together on the same server and can access the same security realms).


      I'm currently using AS 7.1.1 w/ picketlink 2.1.7.
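As an added illustration of the two call paths described in the question (a browser user already authenticated by the SAML SP, and a server calling the REST API statelessly), the following servlet filter is example code written for this page; it is not PicketLink code and not from the original poster. It assumes a hypothetical filter class `DualModeApiFilter` mapped to `/api/*`, relies only on the `javax.servlet` API available in AS 7.1.1, and uses a constructed in-memory token table in place of a real security realm or secrets store.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (example, not PicketLink's API) mapped to /api/*.
 * It accepts two kinds of caller:
 *  - a browser user whose SAML login, handled upstream by the SP, left a
 *    container principal and an HTTP session on the request (stateful), and
 *  - a server-to-server caller presenting an API token in the Authorization
 *    header, validated without ever creating a session (stateless).
 */
public class DualModeApiFilter implements Filter {

    private static final String BEARER_PREFIX = "Bearer ";

    // Constructed sample data: token -> service account name. A real deployment
    // would load these from the container's security realm or a secrets store.
    private final Map<String, String> apiTokens = new ConcurrentHashMap<String, String>();

    @Override
    public void init(FilterConfig config) {
        apiTokens.put("example-token-for-batch-service", "batch-service");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Stateful path: the SAML SP already authenticated this browser session.
        // getSession(false) never creates a session, so API callers stay stateless.
        if (request.getUserPrincipal() != null && request.getSession(false) != null) {
            chain.doFilter(request, response);
            return;
        }

        // Stateless path: validate an API token from the Authorization header.
        String header = request.getHeader("Authorization");
        String serviceName = (header == null) ? null : lookupService(header);
        if (serviceName != null) {
            // Expose the caller identity to downstream resources without a session.
            request.setAttribute("api.caller", serviceName);
            chain.doFilter(request, response);
            return;
        }

        // Neither credential present: reject and advertise the token scheme.
        response.setHeader("WWW-Authenticate", "Bearer realm=\"api\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /** Returns the service name for a valid "Bearer <token>" header, else null. */
    String lookupService(String authorizationHeader) {
        if (!authorizationHeader.startsWith(BEARER_PREFIX)) {
            return null;
        }
        byte[] presented = authorizationHeader.substring(BEARER_PREFIX.length())
                .getBytes(StandardCharsets.UTF_8);
        for (Map.Entry<String, String> entry : apiTokens.entrySet()) {
            byte[] known = entry.getKey().getBytes(StandardCharsets.UTF_8);
            // Constant-time comparison so response timing does not leak token bytes.
            if (MessageDigest.isEqual(known, presented)) {
                return entry.getValue();
            }
        }
        return null;
    }

    @Override
    public void destroy() {
    }
}
```

The filter assumes the SAML SP's login redirect is not also mapped over `/api/*`; if it were, an unauthenticated server call would be bounced to the IDP instead of receiving the 401 that lets it fall back to the token path. Keeping `getSession(false)` on the stateless path is what avoids accumulating one session per server call.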